We compare mechanisms for compensation handling and dynamic update in calculi for concurrency.

These mechanisms are increasingly relevant in the specification of reliable communicating systems. 
Compensations and updates are intuitively similar: both specify how the behavior of a concurrent 
system changes at runtime in response to an exceptional event. However, calculi with compensations 
and updates are technically quite different. We investigate the relative expressiveness of these calculi: 
we develop encodings of core process languages with compensations into a calculus of adaptable 
processes developed in prior work. Our encodings shed light on the (intricate) semantics of compensation
handling and its key constructs. They also enable the transference of existing verification and
reasoning techniques for adaptable processes to core languages with compensation handling. 

1 Introduction 

Many software applications are based on long-running transactions (LRTs). Frequently found in service- 
oriented systems [8], LRTs are computing activities which extend in time and may involve distributed, 
loosely coupled resources. These features sharply distinguish LRTs from usual (database) transactions. 
One particularly delicate aspect of LRT management is handling (partial) failures: mechanisms for
detecting failures and bringing the LRT back to a consistent state need to be explicitly programmed. As
designing and certifying the correctness of such mechanisms is error prone, the last decade has seen the
emergence of specialized constructs, such as exceptions and compensations, which offer direct
programming support. Our focus is on the latter: as their name suggests, compensation mechanisms are meant to
compensate for the fact that an LRT has failed or has been aborted. Upon reception of an abortion or failure
signal, compensation mechanisms are expected to install and activate alternative behaviors for recovering 
system consistency. Such a compensation behavior may be different from the LRT’s initial behavior. 

A variety of calculi for concurrency with constructs for compensation handling has been proposed
(see, e.g., nmiiiiiii). Building upon the tradition and approach of mobile process calculi such
as the $\pi$-calculus lIT^, they capture different forms of error recovery and offer reasoning techniques
(e.g., behavioral equivalences) on communicating processes with compensation constructs. The relative
expressive power of such proposals has also been studied |l4]|5][T2][T3l. On a related but different vein,
a calculus of adaptable processes has been put forward as a process calculus approach to specify the
dynamic evolution of interacting systems [2]. It is intended as a way of overcoming the limitations that
process calculi have for describing patterns of dynamic evolution. In this calculus, process behaviors may
be enclosed by nested, transparent locations; actions of dynamic update are targeted to particular
locations. This model allows us to represent a wide range of evolvability patterns for concurrent processes.
The theory of adaptable processes includes expressiveness, decidability, and verification results EllJl, as
well as the integration with structured communications governed by session types l^fTOl.

Adaptable processes specify forms of dynamic reconfiguration which are triggered by exceptional 
events, not necessarily catastrophic. For instance, an external request for upgrading a working component 
is an exceptional event which is hard to predict and entails a modification of the system’s behavior. Still, 
it is certainly not an error or a failure. Thus, adaptation intuitively appears to us as a general phenomenon 
which includes the (negative) exceptional events dealt with by compensations. That is, it should be possible to
represent failures and compensation activities as particular instances of the behaviors expressible in [2].

In this paper, we make this intuitive observation precise by encoding calculi with compensations 
into adaptable processes. Our motivation is twofold. First, given the diversity of linguistic constructs for 
compensations, understanding how they can be implemented as adaptable processes could shed new light
on their formal underpinnings. Since adaptable processes have a simple semantics (based on higher-order
process communication ITtI), the envisaged encodings could suggest alternative semantics for existing
formalisms. Second, given that adaptable processes have been developed in several directions, encodings 
of calculi with compensations into adaptable processes could enable the transference of, e.g., decidability 
results or type systems, from adaptable processes to calculi with compensations. 

As source languages in our study, we systematically consider the different classes of calculi with
compensations developed in [12], a work that offers a unified presentation for many calculi proposed in
the literature. In particular, we consider processes with static and dynamic compensations, each of them
with preserving, discarding, and aborting semantics. (All these semantics are illustrated next.) As such,
we offer six different encodings into adaptable processes, each one equipped with appropriate
operational correspondence results. The encodings are rather involved; in particular, representing preserving,
discarding, and aborting semantics by means of the transparent locations in proved to be quite
challenging. In our view, the intricate character of our representations into adaptable processes is directly
related to the intricate semantics of each of the forms of calculi with compensations.

This paper is structured as follows. §2 illustrates primitives for adaptable processes and compensation
handling; §3 formally presents the corresponding calculi. In §4 we define and prove correct
encodings of processes with static compensations into adaptable processes. We consider aborting,
preserving, and discarding semantics. §5 describes encodings of processes with dynamic compensations.
§6 collects some concluding remarks. Due to space restrictions, omitted proofs can be found online [7].

2 Adaptable and Compensable Processes, By Example 

We give an intuitive account of the calculus of adaptable processes (introduced by Bravetti et al. [2]) and
of the core calculus with primitives for compensation handling (as presented by Lanese et al. [12, 13]).

Adaptable Processes. The calculus of adaptable processes was introduced in [2] as a variant of Milner's
CCS ITSll (without restriction and relabeling), extended with the following two constructs, aimed
at representing the dynamic reconfiguration (or update) of active communicating processes:

1. A located process, denoted l[P], represents a process P which resides in a location called l. Locations
are transparent: the behavior of l[P] is the same as the behavior of P. Locations can also be arbitrarily
nested, which allows organizing process descriptions into meaningful hierarchical structures.

2. An update prefix l{(X).Q} (where X is a process variable that occurs zero or more times in Q)
denotes an adaptation mechanism for processes located at location l.

This way, in the calculus of adaptable processes the possibility of updating a (located) process behavior is
given the same status as communication prefixes. Intuitively, an update prefix for location l is able to
interact with a located process at l, updating its current behavior. This is captured by the reduction rule

$$C_1[l[P]] \mid C_2[l\{(X).Q\}.R] \longrightarrow C_1[Q\{P/X\}] \mid C_2[R]$$

where $C_1$ and $C_2$ denote contexts which may describe, e.g., nested locations and parallel components.
Therefore, the adaptation mechanism (embodied by l{(X).Q}) moves to the place where l[P] resides ($C_1$
above) and exercises a dynamic update there, as represented by substitution Q{P/X}. As such, adaptation
is a form of higher-order process communication ini. Observe that Q may not contain X, so the current
behavior at l (i.e., P) may get erased as a result of the update. Notice also that this form of adaptation is
subjective: located processes are influenced by (unknown) update prefixes in their environment.
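The reduction rule above can be exercised mechanically. The following Python is an added example, not code from the paper: the class names and the functions `subst`, `take_update`, `apply_update` and `r_upd` are names assumed here, replication and restriction are left out, and the updated process P is assumed closed so that substitution needs no renaming.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Nil:                      # inactive process 0
    pass
@dataclass(frozen=True)
class Var:                      # process variable X
    name: str
@dataclass(frozen=True)
class Pre:                      # communication prefix a.P
    action: str
    cont: object
@dataclass(frozen=True)
class Par:                      # parallel composition P | Q
    left: object
    right: object
@dataclass(frozen=True)
class Loc:                      # located process l[P]
    name: str
    body: object
@dataclass(frozen=True)
class Upd:                      # update prefix l{(X).Q}.R
    loc: str
    var: str
    body: object
    cont: object

def subst(q, x, p):
    """Q{P/X}. P is assumed closed, so no renaming is needed to avoid capture."""
    if isinstance(q, Var):
        return p if q.name == x else q
    if isinstance(q, Pre):
        return Pre(q.action, subst(q.cont, x, p))
    if isinstance(q, Par):
        return Par(subst(q.left, x, p), subst(q.right, x, p))
    if isinstance(q, Loc):
        return Loc(q.name, subst(q.body, x, p))
    if isinstance(q, Upd):
        # an inner update on the same variable rebinds X inside its own body
        body = q.body if q.var == x else subst(q.body, x, p)
        return Upd(q.loc, q.var, body, subst(q.cont, x, p))
    return q

def take_update(d, loc):
    """Context D: find an update prefix on `loc` reachable through | and l[.] only.
    Returns (prefix, D[R]) or None; a prefix guards everything below it."""
    if isinstance(d, Upd):
        return (d, d.cont) if d.loc == loc else None
    if isinstance(d, Loc):
        hit = take_update(d.body, loc)
        return (hit[0], Loc(d.name, hit[1])) if hit else None
    if isinstance(d, Par):
        hit = take_update(d.left, loc)
        if hit:
            return hit[0], Par(hit[1], d.right)
        hit = take_update(d.right, loc)
        if hit:
            return hit[0], Par(d.left, hit[1])
    return None

def apply_update(c, upd):
    """Context C: replace the first active l[P] by Q{P/X}; None if there is none."""
    if isinstance(c, Loc):
        if c.name == upd.loc:
            return subst(upd.body, upd.var, c.body)
        inner = apply_update(c.body, upd)
        return None if inner is None else Loc(c.name, inner)
    if isinstance(c, Par):
        left = apply_update(c.left, upd)
        if left is not None:
            return Par(left, c.right)
        right = apply_update(c.right, upd)
        if right is not None:
            return Par(c.left, right)
    return None

def r_upd(c, d, loc):
    """One reduction step C[l[P]] | D[l{(X).Q}.R] -> C[Q{P/X}] | D[R], or None."""
    hit = take_update(d, loc)
    if hit is None:
        return None
    upd, d_after = hit
    c_after = apply_update(c, upd)
    return None if c_after is None else Par(c_after, d_after)

# Constructed sample processes (names a, b, done, l, m are illustrative).
P = Pre("a", Nil())
SYSTEM = Loc("m", Loc("l", P))                                   # m[l[a.0]]
UPGRADE = Upd("l", "X", Loc("l", Pre("b", Var("X"))), Pre("done", Nil()))
ERASE = Upd("l", "X", Nil(), Nil())                              # Q has no X
DUPLICATE = Upd("l", "X", Par(Var("X"), Var("X")), Nil())

if __name__ == "__main__":
    for name, upd in [("upgrade", UPGRADE), ("erase", ERASE), ("duplicate", DUPLICATE)]:
        print(name, r_upd(SYSTEM, upd, "l"))
```

`ERASE` shows the case noted above where Q does not contain X and the behavior at l disappears; a location or update prefix sitting under a communication prefix is not active, so `r_upd` returns `None` for it.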

Compensable Processes. Our core process language with compensations is based on the calculus
in ifTSll (a variant of the language in ifT^). The languages in are appealing because they
uniformly capture several different proposals for calculi with compensation handling. These calculi were
introduced as extensions of the $\pi$-calculus lIT^ with primitives for static and dynamic recovery.
However, in order to focus on the essentials of compensation handling primitives, in this presentation we
consider a variant of the languages in [12, 13] without name mobility. There are three salient constructs:

1. Transaction scopes (or simply transactions), denoted t[P,Q], where t is a name and P, Q are processes;

2. Protected blocks, denoted $\langle Q\rangle$, for some process Q;

3. Compensation updates, denoted $\mathsf{inst}\lfloor\lambda X.Q\rfloor.P$, where P, Q are processes and X is a process variable
that occurs zero or more times in Q.

While transactions and protected blocks define static recovery mechanisms, compensation updates are 
used to define dynamic recovery. We now gradually introduce these constructs and their main features. 
Basic Intuitions. A transaction t[P,Q] consists of a default activity P with a compensation activity Q.
Transactions can be nested, so process P in t[P,Q] may contain other transactions. Transactions can
be aborted: intuitively, process t[P,Q] behaves as P until an error notification (abortion signal) arrives
along name t. Error notifications are simply output messages which can originate inside or outside the
transaction. To illustrate the simplest manifestation of compensations, we have the following transitions:

$$t[P,Q] \mid \overline{t}.R \xrightarrow{\tau} Q \mid R \qquad\qquad t[\overline{t}.P_1 \mid P_2, Q] \mid R \xrightarrow{\tau} Q \mid R$$

While the transition on the left shows how a transaction t can be aborted by an external signal, the
transition on the right illustrates abortion due to an internal signal. In both cases, abortion leads to discarding
the default behavior of the transaction, and the compensation activity is executed instead (Q in both cases).
Protected Blocks. The transitions above illustrate the different sources of abortion signals that lead to
compensation behaviors. One key element in calculi with compensation primitives are protected blocks:
as their name suggests, these constructs protect a process from abortion signals. Similarly to locations,
protected blocks are transparent: Q and $\langle Q\rangle$ have the same behavior, but $\langle Q\rangle$ cannot be affected by
abortion signals. Protected blocks are meant to prevent abortions after a compensation:

$$t_2[P_2,Q_2] \mid \overline{t_2} \xrightarrow{\tau} \langle Q_2\rangle$$

That is, the compensation behavior $Q_2$ will be immune to external errors thanks to protected blocks.
Consider now process $t_1[t_2[P_2,Q_2] \mid \overline{t_2}.R_1, Q_1]$, which includes a transaction named $t_2$ which is nested
inside $t_1$. Although in previous examples the default behavior has been erased following an abortion
signal, the semantics of compensations actually may partially preserve such behavior. This is realized by
extraction functions, denoted extr(·). For the previous process, we have the following transition:

$$t_1[t_2[P_2,Q_2] \mid \overline{t_2}.R_1 \mid R_2, Q_1] \xrightarrow{\tau} t_1[\langle Q_2\rangle \mid \mathsf{extr}(P_2) \mid R_1, Q_1]$$

In case transaction $t_2$ is aborted, its compensation behavior $Q_2$ will be preserved. Moreover, part of the
behavior of $P_2$ will be preserved as well: this is expressed by process $\mathsf{extr}(P_2)$, which consists of at least
all protected blocks in $P_2$; it may also contain some other processes, related to transactions (see next).
We consider discarding, preserving, and aborting variants for extr(·); they define three different
semantics for compensations. Noted $\mathsf{extr}_{\mathsf{D}}(\cdot)$, $\mathsf{extr}_{\mathsf{P}}(\cdot)$, and $\mathsf{extr}_{\mathsf{A}}(\cdot)$, respectively, these functions concern
mostly protected blocks and transactions. Given a process P, we would have:

• $\mathsf{extr}_{\mathsf{D}}(P)$ keeps only protected blocks in P. Other processes (including transactions) are discarded.

• $\mathsf{extr}_{\mathsf{P}}(P)$ keeps protected blocks and transactions at the top-level in P. Other processes are discarded.

• $\mathsf{extr}_{\mathsf{A}}(P)$ keeps protected blocks and nested transactions in P, including their respective compensation
activities. Other processes are discarded.

As an example, consider the process $P = t[t_1[P_1,Q_1] \mid t_2[\langle P_2\rangle, Q_2] \mid R \mid \langle P_3\rangle, Q_5]$. We then have:

Discarding semantics: $\overline{t} \mid P \xrightarrow{\tau}_{\mathsf{D}} \langle P_3\rangle \mid \langle Q_5\rangle$

Preserving semantics: $\overline{t} \mid P \xrightarrow{\tau}_{\mathsf{P}} \langle P_3\rangle \mid \langle Q_5\rangle \mid t_1[P_1,Q_1] \mid t_2[\langle P_2\rangle, Q_2]$

Aborting semantics: $\overline{t} \mid P \xrightarrow{\tau}_{\mathsf{A}} \langle P_3\rangle \mid \langle Q_5\rangle \mid \langle P_2\rangle \mid \langle Q_1\rangle \mid \langle Q_2\rangle$

Thus, the three different semantics implement different levels of protection. The discarding semantics
only concerns the compensation activity for transaction t and the protected block $\langle P_3\rangle$. The preserving
semantics protects also the nested transactions $t_1$ and $t_2$; a process such as R, without an enclosing
protected block, is discarded. Finally, the aborting semantics preserves all protected blocks and
compensation activities in the default activity for t, including those in nested transactions, such as $\langle P_2\rangle$.
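The three extraction functions can be checked against the example above. The following Python is an added illustration, not code from the paper: the AST classes and the functions `extr`, `abort`, `show` and `components` are names assumed here, and `Atom` is an assumed stand-in for an arbitrary process with no protected block or transaction at top level (the roles played above by P_1, Q_1, R and so on).

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Nil:                      # inactive process 0
    pass
@dataclass(frozen=True)
class Atom:                     # assumption: opaque process with no protected block
    name: str                   # or transaction at top level (e.g. a prefixed process)
@dataclass(frozen=True)
class Par:                      # parallel composition P | Q
    left: object
    right: object
@dataclass(frozen=True)
class Res:                      # restriction (va)P
    name: str
    body: object
@dataclass(frozen=True)
class Block:                    # protected block <P>
    body: object
@dataclass(frozen=True)
class Trans:                    # transaction t[P, Q]
    name: str
    body: object
    comp: object

NIL = Nil()

def par(p, q):
    """Parallel composition, simplified with the congruence P | 0 = P."""
    if p == NIL:
        return q
    if q == NIL:
        return p
    return Par(p, q)

def extr(kind, p):
    """Extraction function; kind is 'D' (discarding), 'P' (preserving) or 'A' (aborting)."""
    if isinstance(p, Block):                       # protected blocks always survive
        return p
    if isinstance(p, Par):
        return par(extr(kind, p.left), extr(kind, p.right))
    if isinstance(p, Res):                         # (va)0 is simplified to 0
        inner = extr(kind, p.body)
        return NIL if inner == NIL else Res(p.name, inner)
    if isinstance(p, Trans):
        if kind == "D":                            # nested transaction is dropped
            return NIL
        if kind == "P":                            # nested transaction is kept intact
            return p
        if kind == "A":                            # nested transaction is aborted too
            return par(extr("A", p.body), Block(p.comp))
        raise ValueError(f"unknown semantics {kind!r}")
    return NIL                                     # 0 and unprotected processes

def abort(kind, tr):
    """Result of aborting t[P, Q]: extr(P) | <Q>. Static compensations only,
    so no compensation update is ever pending."""
    return par(extr(kind, tr.body), Block(tr.comp))

def show(p):
    if isinstance(p, Nil):
        return "0"
    if isinstance(p, Atom):
        return p.name
    if isinstance(p, Par):
        return f"{show(p.left)} | {show(p.right)}"
    if isinstance(p, Res):
        return f"(v{p.name})({show(p.body)})"
    if isinstance(p, Block):
        return f"<{show(p.body)}>"
    return f"{p.name}[{show(p.body)}, {show(p.comp)}]"

def components(p):
    """Sorted list of the parallel components of p, for order-insensitive comparison."""
    if isinstance(p, Par):
        return sorted(components(p.left) + components(p.right))
    return [] if p == NIL else [show(p)]

# The example process: t[ t1[P1,Q1] | t2[<P2>,Q2] | R | <P3>, Q5 ]
EXAMPLE = Trans(
    "t",
    Par(Trans("t1", Atom("P1"), Atom("Q1")),
        Par(Trans("t2", Block(Atom("P2")), Atom("Q2")),
            Par(Atom("R"), Block(Atom("P3"))))),
    Atom("Q5"),
)

if __name__ == "__main__":
    for kind in "DPA":
        print(kind, " | ".join(components(abort(kind, EXAMPLE))))
```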

Dynamic Compensations. Up to here we have considered transactions with static compensations: while
the default behavior may change due to transaction abortion, the compensable behavior remains
unchanged. Given a transaction t[P,Q], using compensation updates one may specify in P an update for
the compensation behavior Q. This is achieved by the operator $\mathsf{inst}\lfloor\lambda X.Q\rfloor.P$, where $\lambda X.Q$ is a function
which represents the compensation update. As a simple example, consider the following transition:

$$t[\mathsf{inst}\lfloor\lambda X.R\rfloor.P_1 \mid P_2, Q] \xrightarrow{\tau} t[P_1 \mid P_2, R\{Q/X\}]$$

This way, $\mathsf{inst}\lfloor\lambda X.R\rfloor.P$ produces a new compensation behavior R{Q/X} after an internal transition.
As variable X may not occur in R, this step may fully discard the previous compensation activity Q.

3 The Calculi 

We introduce adaptable processes (§3.1) and compensable processes (§3.2). To focus on their essentials,
both calculi are defined as extensions of CCS ifTSl (no name passing involved). In both cases, we assume
a countable set of names N, ranged over by a, b, l, t, …. As a convention, we use names l, l′, … to denote
locations (in adaptable processes) and names t, t′, … to denote transactions (in compensable processes).

3.1 Adaptable Processes 

The syntax of the calculus of adaptable processes is defined by prefixes $\pi, \pi', \ldots$ and processes $P, Q, \ldots$:

$$\pi ::= a \;\big|\; \overline{a} \;\big|\; l\{(X).Q\} \qquad\qquad P ::= l[P] \;\big|\; \mathbf{0} \;\big|\; \pi.P \;\big|\; {!P} \;\big|\; P \mid Q \;\big|\; (\nu a)P \;\big|\; X$$

We consider input and output prefixes (noted $a$ and $\overline{a}$, respectively) and the update prefix l{(X).Q}, where
Q may contain zero or more occurrences of process variable X. The syntax of processes includes located
processes (noted l[P] and intuitively motivated above) as well as usual CCS constructs for inaction, prefix
(sequentiality), replication, parallel composition, and restriction. We omit 0 whenever possible; we write,
e.g., l{(X).P} instead of l{(X).P}.0. Name a is bound in $(\nu a)P$ and process variable X is bound in
l{(X).Q}; given a process P, its sets of free and bound names/variables (denoted fn(P), bn(P), fv(P),
and bv(P)) are as expected. We rely on expected notions of $\alpha$-conversion (noted $\equiv_\alpha$) and process
substitution: P{Q/X} denotes the process obtained by (capture avoiding) substitution of Q for X in P.

$$
\begin{array}{ll}
\textsc{(R-I/O)} & C[\overline{a}.P] \mid D[a.Q] \longrightarrow C[P] \mid D[Q] \\[6pt]
\textsc{(R-Upd)} & C[l[P]] \mid D[l\{(X).Q\}.R] \longrightarrow C[Q\{P/X\}] \mid D[R] \\[6pt]
\textsc{(R-Par)} & \dfrac{P \longrightarrow P'}{P \mid Q \longrightarrow P' \mid Q} \\[12pt]
\textsc{(R-Res)} & \dfrac{P \longrightarrow P'}{(\nu a)P \longrightarrow (\nu a)P'} \\[12pt]
\textsc{(R-Str)} & \dfrac{P \equiv P' \qquad P' \longrightarrow Q' \qquad Q' \equiv Q}{P \longrightarrow Q}
\end{array}
$$

Figure 1: Reduction semantics for adaptable processes.

The semantics of adaptable processes is given by a reduction semantics, denoted $\longrightarrow$ and defined
as the smallest relation on processes induced by the rules in Figure 1; $\longrightarrow^{*}$ denotes the reflexive and
transitive closure of $\longrightarrow$. Reduction relies on structural congruence, denoted $\equiv$, and contexts, denoted
C, D, E. We define $\equiv$ as the smallest congruence on processes that satisfies the axioms:

$$
\begin{array}{lll}
P \mid Q \equiv Q \mid P & P \mid (Q \mid R) \equiv (P \mid Q) \mid R & P \mid \mathbf{0} \equiv P \\[4pt]
P \equiv Q \ \text{if } P \equiv_\alpha Q & (\nu a)\mathbf{0} \equiv \mathbf{0} & (\nu a)(\nu b)P \equiv (\nu b)(\nu a)P \\[4pt]
(\nu a)P \mid Q \equiv (\nu a)(P \mid Q) \ \text{if } a \notin \mathsf{fn}(Q) & (\nu a)\,l[P] \equiv l[(\nu a)P] & {!P} \equiv P \mid {!P}
\end{array}
$$

The syntax of monadic contexts (processes with a single hole, denoted $[\bullet]$) is defined as:

$$C ::= [\bullet] \;\big|\; C \mid P \;\big|\; l[C]$$

We write C[P] to denote the process resulting from filling in all occurrences of $[\bullet]$ in context C with
process P. We comment on rules in Figure 1. Rule (R-I/O) formalizes synchronization between process
$\overline{a}.P$ and process $a.Q$ (enclosed in contexts C and D, respectively). Rule (R-Upd) formalizes the dynamic
update/evolvability of a location l. The result of the synchronization between a located process l[P] and
an update prefix l{(X).Q} is the process Q{P/X}. This resulting process stays in the same context as
process l[P]. Rules (R-Par), (R-Res), and (R-Str) are standard and/or self-explanatory.

3.2 Compensable Processes 

The calculus of compensable processes extends CCS with constructs for transactions, protected blocks,
and compensation updates:

$$\pi ::= a \;\big|\; \overline{a} \qquad\qquad P, Q ::= \mathbf{0} \;\big|\; \pi.P \;\big|\; {!P} \;\big|\; (\nu a)P \;\big|\; P \mid Q \;\big|\; t[P,Q] \;\big|\; \langle Q\rangle \;\big|\; X \;\big|\; \mathsf{inst}\lfloor\lambda X.R\rfloor.P$$

Prefixes $\pi$ include input and output actions. Processes for inaction ($\mathbf{0}$), sequentiality ($\pi.P$), replication
($!P$), restriction ($(\nu a)P$), and parallel composition ($P \mid Q$) are standard. We omit 0 whenever possible.
Protected blocks $\langle Q\rangle$, transactions t[P,Q], and compensation updates $\mathsf{inst}\lfloor\lambda X.R\rfloor.P$ have been already
motivated. Error notifications are simply output messages; they can be internal (coming from the default
activity) or external (coming from outside of the transaction). Name a is bound in $(\nu a)P$ and variable
X is bound in $\mathsf{inst}\lfloor\lambda X.R\rfloor$; given a process P, its sets of free and bound names/variables (denoted
fn(P), bn(P), fv(P), and bv(P)) are as expected. $\alpha$-conversion (noted $\equiv_\alpha$) and substitution P{Q/X}
are also as expected. We assume that protected blocks and transactions do not appear behind prefixes;
this is key to ensure encoding correctness. We shall say that the sub-calculus without compensation
updates $\mathsf{inst}\lfloor\lambda X.R\rfloor.P$ is the calculus with static compensations; the full calculus will be referred to as
the calculus with dynamic compensations. The following definitions apply uniformly to both.

$$
\begin{array}{lll}
\mathsf{extr}_{\mathsf{D}}(t[P,Q]) = \mathbf{0} & \mathsf{extr}_{\mathsf{P}}(t[P,Q]) = t[P,Q] & \mathsf{extr}_{\mathsf{A}}(t[P,Q]) = \mathsf{extr}_{\mathsf{A}}(P) \mid \langle Q\rangle \\[4pt]
\mathsf{extr}(\langle P\rangle) = \langle P\rangle & \mathsf{extr}(P \mid Q) = \mathsf{extr}(P) \mid \mathsf{extr}(Q) & \mathsf{extr}((\nu a)P) = (\nu a)\,\mathsf{extr}(P) \\[4pt]
\mathsf{extr}(!P) = \mathbf{0} & \mathsf{extr}(\mathsf{inst}\lfloor\lambda X.Q\rfloor.P) = \mathbf{0} & \mathsf{extr}(\pi.P) = \mathbf{0}
\end{array}
$$

Figure 2: Extraction functions.

Following [12, 13], the semantics of compensable processes is given in terms of a Labeled Transition
System (LTS). Ranged over by $\alpha, \alpha'$, the set of labels includes $a$, $\overline{a}$, $\tau$, and $\lambda X.Q$. As in CCS, $a$ denotes an
input action, $\overline{a}$ denotes an output action, and $\tau$ denotes synchronization (internal action). Label $\lambda X.Q$ is
associated to compensation updates. Formally, we have three different LTSs, corresponding to processes
under discarding, preserving, and aborting semantics. Therefore, for each $\kappa \in \{\mathsf{D}, \mathsf{P}, \mathsf{A}\}$, we will have an
extraction function $\mathsf{extr}_\kappa(\cdot)$ and a transition relation $\xrightarrow{\alpha}_\kappa$. The different extraction functions are defined
in Fig. 2; the rules of the LTSs are given in Fig. 3. As a convention, whenever a notion coincides for the
three semantics, we shall avoid decorations D, P, and A. This way, e.g., by writing $\mathsf{extr}(\langle P\rangle) = \langle P\rangle$ we
mean that the extraction function for protected blocks is the same for all three semantics.

We comment on the rules in Fig. 3. Axioms (L-Out) and (L-In) execute output and input prefixes,
respectively. Rule (L-Rep) deals with replication, while rule (L-Par) allows one parallel component
to progress independently. Rule (L-Res) is the standard rule for restriction: it states that a transition of
process P with label $\alpha$ determines a transition of process $(\nu a)P$, provided that the restriction name a
does not occur inside $\alpha$. Rule (L-Comm) defines communication on a. Rule (L-Scope-Out) allows
the default activity P of a transaction to progress, provided that the performed action is not a
compensation update and that there is no pending compensation update to be executed. The latter is ensured by
condition noComp(P), defined in fT): the condition is true if and only if process P does not have a
compensation update which waits for execution. This means that a compensation update has priority over
other transitions; that is, if process P in transaction t[P,Q] has a compensation update at top-level then
it will be performed before any change of the current state. Rule (L-Recover-Out) allows an external
process to abort a transaction via an output action $\overline{t}$. The resulting process contains two parts: the first
part is obtained from the default activity P of the transaction via the appropriate extraction function; the
second part corresponds to compensation Q which will be executed inside a protected block. Similarly,
rule (L-Recover-In) handles abortion when the error notification comes from the default activity P of
the transaction. Rule (L-Block) essentially specifies that protected blocks are transparent units.
Observe that the actual semantics of protected blocks is defined via the extraction functions extr(·). The
final two rules are specific to processes with dynamic compensations: while rule (L-Inst) performs a
compensation update, rule (L-Scope-Close) updates the compensation of a transaction.

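We find it convenient to define structural congruence ($\equiv$) and contexts also for compensable
processes. We define $\equiv$ as the smallest congruence on processes that includes $\equiv_\alpha$ and satisfies the axioms:

$$
\begin{array}{lll}
P \mid Q \equiv Q \mid P & P \mid (Q \mid R) \equiv (P \mid Q) \mid R & P \mid \mathbf{0} \equiv P \\[4pt]
(\nu a)(\nu b)P \equiv (\nu b)(\nu a)P & (\nu a)P \mid Q \equiv (\nu a)(P \mid Q) \ \text{if } a \notin \mathsf{fn}(Q) & (\nu a)\mathbf{0} \equiv \mathbf{0} \\[4pt]
\langle\langle P\rangle\rangle \equiv \langle P\rangle & \langle(\nu a)P\rangle \equiv (\nu a)\langle P\rangle & \langle\mathbf{0}\rangle \equiv \mathbf{0} \\[4pt]
 & & (\nu a)a \equiv \mathbf{0} \\[4pt]
\multicolumn{3}{l}{t[(\nu a)P, Q] \equiv (\nu a)\,t[P,Q] \ \text{if } t \neq a,\ a \notin \mathsf{fn}(Q)}
\end{array}
$$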
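$$
\begin{array}{c}
\textsc{(L-Out)}\ \ \overline{a}.P \xrightarrow{\overline{a}} P
\qquad
\textsc{(L-In)}\ \ a.P \xrightarrow{a} P
\qquad
\textsc{(L-Rep)}\ \ \dfrac{P \xrightarrow{\alpha} P'}{!P \xrightarrow{\alpha} P' \mid {!P}}
\\[14pt]
\textsc{(L-Par)}\ \ \dfrac{P \xrightarrow{\alpha} P'}{P \mid Q \xrightarrow{\alpha} P' \mid Q}
\qquad
\textsc{(L-Res)}\ \ \dfrac{P \xrightarrow{\alpha} P' \qquad \alpha \notin \{a, \overline{a}\}}{(\nu a)P \xrightarrow{\alpha} (\nu a)P'}
\qquad
\textsc{(L-Comm)}\ \ \dfrac{P \xrightarrow{a} P' \qquad Q \xrightarrow{\overline{a}} Q'}{P \mid Q \xrightarrow{\tau} P' \mid Q'}
\\[14pt]
\textsc{(L-Scope-Out)}\ \ \dfrac{P \xrightarrow{\alpha} P' \qquad \alpha \neq \lambda X.Q \qquad \mathsf{noComp}(P)}{t[P,Q] \xrightarrow{\alpha} t[P',Q]}
\\[14pt]
\textsc{(L-Recover-Out)}\ \ \dfrac{\mathsf{noComp}(P)}{t[P,Q] \xrightarrow{t} \mathsf{extr}(P) \mid \langle Q\rangle}
\qquad
\textsc{(L-Recover-In)}\ \ \dfrac{P \xrightarrow{\overline{t}} P' \qquad \mathsf{noComp}(P)}{t[P,Q] \xrightarrow{\tau} \mathsf{extr}(P') \mid \langle Q\rangle}
\\[14pt]
\textsc{(L-Block)}\ \ \dfrac{P \xrightarrow{\alpha} P'}{\langle P\rangle \xrightarrow{\alpha} \langle P'\rangle}
\qquad
\textsc{(L-Inst)}\ \ \mathsf{inst}\lfloor\lambda X.Q\rfloor.P \xrightarrow{\lambda X.Q} P
\qquad
\textsc{(L-Scope-Close)}\ \ \dfrac{P \xrightarrow{\lambda X.R} P'}{t[P,Q] \xrightarrow{\tau} t[P', R\{Q/X\}]}
\end{array}
$$

Figure 3: LTS for compensable processes. Symmetric variants of (L-Par) and (L-Comm) are omitted.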


An n-adic context $C[\bullet_1, \ldots, \bullet_n]$ is obtained from a process by replacing n occurrences of 0, that are neither
compensations nor in continuation of prefixes, with indexed holes $[\bullet_1], \ldots, [\bullet_n]$. This way, for instance,
the syntax of monadic contexts is defined as:

$$C ::= [\bullet] \;\big|\; \langle C\rangle \;\big|\; t[C,P] \;\big|\; P \mid C \;\big|\; C \mid P \;\big|\; (\nu a)C.$$

We write C[P] to denote the process resulting from filling in all occurrences of $[\bullet]$ in context C with
process P. The following proposition is central to our operational correspondence statements.

Proposition 3.1. Let P be a compensable process. If $P \xrightarrow{\tau} P'$ then one of the following holds:

a) $P \equiv E[C[a.P_1] \mid D[\overline{a}.P_2]]$ and $P' \equiv E[C[P_1] \mid D[P_2]]$,

b) $P \equiv E[C[t[P_1,Q]] \mid D[\overline{t}.R]]$ and $P' \equiv E[C[\mathsf{extr}(P_1) \mid \langle Q\rangle] \mid D[R]]$,

c) $P \equiv C[t[D[\overline{t}.P_1],Q]]$ and $P' \equiv C[\mathsf{extr}(D[P_1]) \mid \langle Q\rangle]$,

d) $P \equiv E[t[C'[\mathsf{inst}\lfloor\lambda X.R\rfloor.P_1],Q]]$ and $P' \equiv E[t[C'[P_1], R\{Q/X\}]]$,

for some contexts C, C', D, E, processes $P_1$, $P_2$, Q, R, and names a, t.


4 Encoding Static Compensation Processes 

Here we present encodings of processes with static compensations into adaptable processes. We consider
discarding, preserving and aborting semantics. We adopt the following abbreviations for update prefixes:

• $t\{\dagger\}$ for the update prefix $t\{(Y).\mathbf{0}\}$ which “kills” location t, together with the process located at t;

• $t\{P\}$ for the update prefix $t\{(Y).P\}$ (with $Y \notin \mathsf{fv}(P)$) that replaces the current behavior at t with P;

• $t\{\mathsf{id}\}$ for the update prefix $t\{(X).X\}$ which deletes the location name t;

• $t\{(X_1, X_2, \ldots, X_n).R\}$ for the sequential composition of updates $t\{(X_1).t\{(X_2).\cdots.t\{(X_n).R\}\}\}$.

Basic Intuitions. We describe some commonalities in the encodings we are about to present.
Unsurprisingly, the main challenge to encodability is in representing transactions t[P,Q] and protected blocks
$\langle R\rangle$ as adaptable processes. Our strategy consists in representing P and Q independently, using located
processes. Since locations are transparent units of behavior, this suffices for encoding P. However,
the encoding of Q cannot freely execute unless an abortion signal (an output action) is received. Very
approximately, our encodings of protected blocks and transactions have the following structure:
l{R)l,p = _ (1) 

lt[P,Q]jp = t[Mrp] \ lr.7l,.---.7Lk.pr[lQl.pl \tTt.K (2) 

(a) (b) 

In our encodings we use paths, finite sequences of names, denoted $t_1, t_2, \ldots, t_n$. The empty path is denoted
$\varepsilon$. Ranged over by p, paths capture the hierarchical structure of nested transactions. Using paths, for each
protected block, we maintain an association with the name of its enclosing transaction. As such, the
encoding of a protected block associated to transaction t will be enclosed in a location $p_t$ (see (1) above).
There could be more than one occurrence of such locations, as the transaction’s body may contain several
protected blocks. The encoding of transactions, given in (2), consists of three parallel components:

• Component (a) is a location which contains the encoding of the default activity of the transaction; we
retain the name of the transaction in the source process.

• Component (b) represents the compensation activity of the transaction. It is given as a located process
at $p_t$, and is protected by a number of prefixes $\pi_1, \ldots, \pi_k$, including an input prefix $l_t$.

• Component (c) handles abortion signals. After synchronizing with an output on t, it synchronizes with
the input on $l_t$ in component (b). This releases a process K which “collects” all protected blocks in
the encoding of P (which occur inside locations named $p_t$) but also the encoding of the compensation
activity Q. This collection process may involve synchronizations with $\pi_1, \ldots, \pi_k$ in (b). Once all
protected blocks have been collected, location t is destroyed.

This (very approximate) strategy is used in all of our encodings, with variations motivated by discarding,
preserving, and aborting semantics. Knowing the number of protected blocks to be collected is crucial
in this scheme. To this end, appropriate counting functions on the default activity P are defined.

The following remark defines some basic conditions on “reserved names” used in our encodings:
Remark 4.1. Let t be a name, then we know that there are names $l_t$, $k_t$, $p_t$ and $m_t$ which are associated
with the name t. Also, if $t_1 \neq t_2$ then $l_{t_1} \neq l_{t_2}$, $k_{t_1} \neq k_{t_2}$, $p_{t_1} \neq p_{t_2}$ and $m_{t_1} \neq m_{t_2}$.


4.1 Discarding Semantics 


Before presenting the encoding, we introduce some auxiliary functions. First, we introduce a function
that counts the number of protected blocks in a process.

Definition 4.2 (Number of protected blocks). Let P be a compensable process. The number of protected
blocks in P, denoted by $\mathsf{npb}_{\mathsf{D}}(P)$, is defined as follows:

$$
\mathsf{npb}_{\mathsf{D}}(P) =
\begin{cases}
1 & \text{if } P = \langle P_1\rangle \\
\mathsf{npb}_{\mathsf{D}}(P_1) + \mathsf{npb}_{\mathsf{D}}(P_2) & \text{if } P = P_1 \mid P_2 \\
\mathsf{npb}_{\mathsf{D}}(P_1) & \text{if } P = (\nu a)P_1 \\
0 & \text{otherwise.}
\end{cases}
$$

We shall define an encoding $\mathsf{D}\llbracket\cdot\rrbracket_{p}$ of compensable processes into adaptable processes, where p is a path
(a sequence of location names). The encoding of transactions requires an auxiliary encoding, denoted
$\mathsf{D}\|\cdot\|^{n}_{p}$, loosely related to component (b) in (2). In case of an abortion signal t, $\mathsf{D}\|\cdot\|^{n}_{p}$ defines a process
that collects the encodings of the n protected blocks included in the default activity (which is to be found
at p) as well as the encoding of the compensation activity. We define $\mathsf{D}\|\cdot\|^{n}_{p}$ by induction on n:
Definition 4.3 (Auxiliary Encoding). Let Q be a compensable process and let po = t,p be a path. Also,
let n>0. The process D||2||”jj is defined as follows: 

D||G||?,p = It-m-Pp [D[Gle] I mt.kt.ti^} 

D||2|lr,p= h-Pt,p[iXu--- ,Xn).z{pp[Xi] I \pp[X„] |m7.;7p[D|e]le]}|.(z[0] | [n > 0] 

(The definition of $\mathsf{D}\llbracket\cdot\rrbracket_{p}$ is given next.) Consider the encoding of t[P,Q]: if P contains n top-level
protected blocks, then process $\mathsf{D}\llbracket t[P,Q]\rrbracket_{p}$ will include n successive update prefixes that will look for n
protected blocks at location $p_{t,p}$ (the path points that they were enclosed with t) and move them to their
parent location $p_{p}$. As these n dynamic updates leave these located processes at location t, an update on
z is introduced to take them out of t once the n updates are executed.

We are now ready to introduce the encoding $\mathsf{D}\llbracket\cdot\rrbracket_{p}$. Recall that we adhere to Remark 4.1.

Definition 4.4 (Encoding Discarding Semantics). Let P be a compensable process and let p be a path.
The encoding $\mathsf{D}\llbracket\cdot\rrbracket_{p}$ of compensable processes into adaptable processes is defined as follows:


Dl(P)lp=Pp[D[Ple] 

D[Pi I Pzlp = D[Pi1p I D[P2lp 


D[t[p,<2]ip = f[D[Pkp] I I 

DMp = TT.DIPIp D[!P1p=!D[P1p 


t.lt.kf.O D[[0]]p=0 
D[(va)Plp = (va)D[Plp 


Key cases are encodings of protected blocks and transactions, as motivated earlier. Each protected block 
is associated with a location p indexed with the path to the protected block. A transaction is encoded as 
the composition of three processes. The leftmost component encodes the default activity P preserving 
the nested structure. In case of an abortion signal on t, the rightmost component will execute the middle 
component by sending message b. As already explained, this second component will find all the top- 
level encodings of protected blocks of P, moving them to locations pp together with the encoding of 
compensation activity Q. We may formalize these observations using the following lemma: 

Lemma 4.5. Let t[P ,Q] be a transaction with default activity P and compensation Q. Then we have: 
r[D[Pl,,p] D[extrD(P)lp|D[(01p. 


The following statement attests the operational correspondence for our encoding: 

Theorem 4.6. Let P be a compensable process and let p be an arbitrary path. 

a) IfP 4d P' then D[P]p D[Plp. 

b) TfDjPjp —)• Q then there is P' such that P A-p P' and Q DjP'Jp. 

We illustrate our encoding by means of an example: 

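Example 4.7. Let $P_0 = t[R \mid \langle P\rangle, Q] \mid \overline{t}$ be a compensable process with $\mathsf{npb}_{\mathsf{D}}(R) = 0$. Then
$P_0 \xrightarrow{\tau}_{\mathsf{D}} \langle P\rangle \mid \langle Q\rangle$. By expanding Def. 4.4 we obtain (recall that we omit 0 whenever possible):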


DiPole = t 

= t 

= D 


DlP|(P)k£ \D\\Q\\l.e\t-lt.kt\t 


D|Plf,e I p,,e[D[P]]e] | /,.p(,e|(A).z{pe[A] | [DfQje] }|.(z[0] | m,.k,.t{^}) \ t.^.k, \ t 


I z{pe[DMe] | -Pe [D[Gle] } 

m I ( 01 r 


Z[0] I mt.kt.t{t} I kt pe [D|Ple] I pe [D[[2]£ 
4.2 Preserving Semantics

The encoding of compensable processes with preserving semantics is similar to the previous encoding. In this
case, since the extraction function keeps both protected blocks and top-level transactions (cf. Fig. 2), our
auxiliary encoding, denoted $\mathsf{P}\|\cdot\|^{n,m}_{p}$, has two parameters: n denotes protected blocks and m denotes
top-level transactions. We count protected blocks using Def. 4.2; to count transactions we use the following:

Definition 4.8 (Number of transactions). Let P be a compensable process. The number of transactions
which occur in P, denoted $\mathsf{nts}(P)$, is defined as follows:

$$
\mathsf{nts}(P) =
\begin{cases}
\mathsf{nts}(P_1) + 1 & \text{if } P = t[P_1, Q_1] \\
\mathsf{nts}(P_1) + \mathsf{nts}(P_2) & \text{if } P = P_1 \mid P_2 \\
\mathsf{nts}(P_1) & \text{if } P = (\nu a)P_1 \\
0 & \text{otherwise.}
\end{cases}
$$


The encoding of the transaction body P with location t that is nested in location fip. 

Before giving the encoding $\mathsf{P}\llbracket\cdot\rrbracket_{p}$, we define the auxiliary encoding $\mathsf{P}\|\cdot\|^{n,m}_{p}$, where p is a path, n is the
number of protected blocks, and m is the number of transactions in the default activity.

Definition 4.9 (Auxiliary Encoding). Let Q be a compensable process and let po = t,p be a path. Also, 
let n,m>0. The process P||2||p|,™ is defined as follows: 


P||2ll,'i" 

PII2II?) 

PII2II,";” 


It.mt.a.pp [P|ele] | m,.kt.t{^} 

lt.pt,p^{X\).z{a.pp[Xi] I m7.pp[P[2]]e]}|.(z[0] |m,.kf.f{t}) 
lt.fit,p\^{Yi).z{a.pp[Yi] |7n7.pp[P|e]le]}|.(z[0] \ mt.k,.t{^}) 
h-Pt,p^{Xi,-• ■ ,X„).l5tp^{Yi,-■ ■ ,Yfn).z{pp[Xi] \ ■■■ |pp[2f«] 

\a.{pp[Yi] I ••• |j8p[Tm]) |m7-Pp[P[Gle]}||-(z[0] | [n,m>0] 


We may now define the encoding $\mathrm{P}[\![\cdot]\!]_{p}$: 

Definition 4.10 (Encoding Preserving). Let P be a compensable process and let p be a path. The 
encoding $\mathrm{P}[\![\cdot]\!]_{p}$ of compensable processes into adaptable processes is defined as 


Pl(^)lp=Pp[PM^ 


pit[p,Q]jp=i5p t[piPi,p] |p|ier: 


npbp (P),nts(P) 


t.lt.kt.j 


j.j8p{id}.a 


and as a homomorphism for the other operators. 

The following lemma formalizes the execution of the encoding: 

Lemma 4.11. Let t[P,Q] be a transaction with default activity P and compensation Q. Then we have: 


iSp kPMr.p] I .] 


j.pp{\d}.a P[extrp(P)]lp | P[[(01p. 


We then have the following statement of operational correspondence: 
Theorem 4.12. Let P be a compensable process and let p be an arbitrary path. 

a) IfP Ap P' then P[P]p P[Plp. 

b) IfPlPjp —> Q then there is P' such that P -^p P' and Q P[[Plp- 
Example 4.13. Let Pq be a compensable process in Example 4.7 with R = t\[P\,Q\] and 
npbp(/’i) = nts(/’i) = 0. In the preserving semantics we have: Pq -^p fi[A)Gi] I (P) I (0- Py 
expanding Def. \4.l6\ we obtain: 


PMe = Pe 
= Pe 


t[Hh[Pi,Qi] I 0)]?.e] I P||0|f,e I t.Tt.ktJ I 7.j8e{id}.a 1 1 
f[j8r,e M \ j.pt,e{'<^}-d \ Pt,e[HP}e]] I ^;-ft.e|0i).j8f,e|(Ei).z{pe [Xi] \ a.[5e[Yi] 
I mi-Pe [P[[2l< 


>.(z[0] I m,.kt.t{-t}) I tdfkfj I j.pe{\d}.a \ t 
Pe ?[z{Pe[PlPle] | a.jSg [m] \ m;.pe[PlQ}e]} | 7.jSf,e{id}.a] | z[0] | \kt.J 

I j.pei'idj.a 


Pe 

Pe 


? [0 I j.pt.e{'d}.a] I pe[P|/’]le] | a.jSg [M] | Pe[P[0e] | f{t} | j 

[m] \ p,[Pn]\ PeiPMe] 


j.[5e{\d}.a 


where M = ti[PlPi}ti,t,e] | P||Gi 11?,’° e \ t\.l,^.k,^.j. 


4.3 Aborting Semantics 


We now discuss the encoding of compensable processes with abortion semantics. While preserving the 
structure of the two encodings already presented, in this case the extraction function (cf. Fig. ^) adds 
some complications. We need to modify the function that counts the number of protected blocks in a 
process; also, collecting encodings of (nested) protected blocks requires so-called activation processes 
which capture the hierarchical structure of nested transactions (cf. Def. 4.16). 

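Definition 4.14 (Number of protected blocks). Let P be a compensable process. The number of protected 
blocks in P, denoted by $\mathsf{npb}_{A}(P)$, is defined as follows: 

$$
\mathsf{npb}_{A}(P) =
\begin{cases}
1 & \text{if } P = \langle P_1 \rangle \\
\mathsf{npb}_{A}(P_1) + 1 & \text{if } P = t[P_1, Q_1] \\
\mathsf{npb}_{A}(P_1) + \mathsf{npb}_{A}(P_2) & \text{if } P = P_1 \mid P_2 \\
\mathsf{npb}_{A}(P_1) & \text{if } P = (\nu a)P_1 \\
0 & \text{otherwise.}
\end{cases}
$$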


We now define the auxiliary encoding, denoted $\mathrm{A}\|Q\|_{p}$. This process, as explained above, collects all 
encoded protected blocks of a process in case an error notification is activated. 

Definition 4.15 (Auxiliary Encoding). Let Q be a compensable process and let po = t,p be a path. Also, 
let n>0. The process A||2||pjj is defined as follows: 

A||0|?,p =lt-mi-Pp[HQ}e] \mt.kt.t{^}.rt,p 

A||2||"p =h-Pt,p[{Xi,--- ,Xn).z{pp[Xi] I \pp[Xn] I m7-Pp[Al2le]}|.(z[0] I m,.k,.t{t}.rf,p) [n > 0] 

where r,_p = Yn{{Zi).Yti[ivlt)ivkt){Zi \ It.Ft)]}.--- . 7 ,„{(Z„). 7 ,„[(vZ,)(vkf)(Z„ | /i.^)]}.7{t}- 
To appropriately collect nested protected blocks, we define a so-called activation process that captures 
the hierarchical structure of nested transactions. 

Definition 4.16 (Activation Process). Let $S_t(P)$ denote the containment structure of compensable process 
P, i.e., the labeled tree (with root t) in which nodes are labeled with transaction names and sub-trees 
capture transaction nesting. The activation process for P, denoted Ift{P), is the sequential process 
obtained by a post-order search in $S_t(P)$ in which the visit to a node labeled $c_i$ adds prefixes $l_{c_i}.k_{c_i}$. 
This way, e.g., given P = a [4Pi, | ^, GJ I ^1^3 \d[P 4 , Q 4 ] I «[^5 ,Gs] ,Ga] we will have the 
activation process ^t{P) = $l_c.k_c.l_a.k_a.l_d.k_d.l_e.k_e.l_b.k_b.l_t.k_t$. 
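
Definitions 4.8, 4.14 and 4.16 are all structural recursions over the process term; the Python below is an added example, not code from the paper, that implements the two counting functions and the post-order activation sequence over a small AST. The constructor names, the constructed sample process, and the choice to look for nested transactions only through parallel composition and restriction are assumptions of the example; any co-name decoration on the prefixes is not modelled.

```python
from collections import namedtuple
Other = namedtuple("Other", "label")            # "otherwise" clause: 0, prefixes, ...
Protected = namedtuple("Protected", "body")     # protected block <P>
Trans = namedtuple("Trans", "name body comp")   # transaction t[P, Q]
Par = namedtuple("Par", "left right")           # P1 | P2
Res = namedtuple("Res", "name body")            # (nu a) P

def nts(p):
    """Number of transactions, clause by clause as in Def. 4.8."""
    if isinstance(p, Trans):
        return nts(p.body) + 1
    if isinstance(p, Par):
        return nts(p.left) + nts(p.right)
    if isinstance(p, Res):
        return nts(p.body)
    return 0                                    # includes <P>: not descended into

def npb_A(p):
    """Number of protected blocks for aborting semantics, as in Def. 4.14."""
    if isinstance(p, Protected):
        return 1
    if isinstance(p, Trans):
        return npb_A(p.body) + 1
    if isinstance(p, Par):
        return npb_A(p.left) + npb_A(p.right)
    if isinstance(p, Res):
        return npb_A(p.body)
    return 0

def nested(p):
    """Transactions directly nested in p (assumption: reached through | and nu only)."""
    if isinstance(p, Trans):
        return [p]
    if isinstance(p, Par):
        return nested(p.left) + nested(p.right)
    if isinstance(p, Res):
        return nested(p.body)
    return []

def activation(t):
    """Post-order walk of the containment tree rooted at transaction t (Def. 4.16)."""
    inner = [x for child in nested(t.body) for x in activation(child)]
    return inner + [f"l_{t.name}", f"k_{t.name}"]

# Constructed sample: t[ a[c[P1,Q1] | <P2>, Qa] | b[d[P4,Q4] | e[P5,Q5], Qb], Q ]
leaf = lambda n, i: Trans(n, Other(f"P{i}"), Other(f"Q{i}"))
A = Trans("a", Par(leaf("c", 1), Protected(Other("P2"))), Other("Qa"))
B = Trans("b", Par(leaf("d", 4), leaf("e", 5)), Other("Qb"))
SAMPLE = Trans("t", Par(A, B), Other("Q"))
print(nts(SAMPLE), npb_A(SAMPLE), ".".join(activation(SAMPLE)))
```

Note that the two counters disagree on the same term: every transaction contributes to both, but a protected block contributes only to the protected-block count and hides any transactions inside it from the transaction count.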

Now we have all necessary definitions to introduce the encoding $\mathrm{A}[\![\cdot]\!]_{p}$ of compensable 
processes into adaptable processes with respect to aborting semantics. Notice the use of activation processes 
in the encoding of transactions: 

Definition 4.17 (Encoding Aborting). Let P be a compensable process and let p be a path. The encoding 
$\mathrm{A}[\![\cdot]\!]_{p}$ of compensable processes into adaptable processes is defined as 

A[(P)lp = Pp[A[Pla] Alt[E,G]lp=f[A[El,,p] |7r[T 

and as a homomorphism for the other operators. 

With respect to previous encodings, the encoding for aborting semantics differs in the rightmost process 
of the encoding. In this case, the activation process ^(P) searches the subtree of the transaction body to 
activate the middle components of all nested transactions inside t. 

The following correctness statements follow the same ideas as in the two previous encodings. In the 
sequel, we write ^ to denote a (weak) behavioral equivalence that abstracts from internal transitions (due 
to the synchronizations added by the activation process). 

Lemma 4.18. Let t[P ,Q] be a transaction with default activity P and compensation Q. Then we have: 

t[AlPl,p] I AllGr.r^'^^ I yAW)] Alextr,(P)lp | A[(G)lp | E.p | 7 [O]. 

Theorem 4.19. Let P be a compensable process and let p be an arbitrary path. 

a) IfP 4a P' then A[P]p A[Plp. 

b) 7/'A[[P]p —G then there is P' such that P 4a P' and Q Q! and Q' ~ A[P']p. 

5 Encoding Dynamic Compensation Processes 

We discuss how to extend the previous encodings to account for compensation updates inst [AT.Pj .P. 
Due to space constraints, we only describe required extensions to previously given definitions/statements. 

Discarding Semantics. We first have the following extension to Def. 4.2: 

Definition 5.1 (Number of protected blocks). Let P be a compensable process such that P = 
inst [AF.PJ .Pi. The number of protected blocks in P, denoted by npb(P), is equal to npb(Pi). 

The definition of the auxiliary encoding, given in Def. 4.3, is extended as follows: 

Definition 5.2 (Auxiliary encoding). Let Q be a compensable process and let po = t,p be a path. Also, 
let n>0. The process pUGlIpo is defined inductively on n as follows: 

dIIG||?,p = it-ml-Pp[u[f.g]] I mt.kt.t{-\} \ v[u{{Z).{Z \ vi[D[Gle] | /.vi{id}.v{id}.g)}] 
dIIG||”p = lfPt,p{{Xi,--- ,X„).z{pp[Xi]\ ■■■ \pp[Xn]\nfi.pp[u[f.g]]}'^ 

.(z[0] \ mt.kt.t{t}) I v[m{(Z).(Z I vi[D[Gle] |/.vi{id}.v{id}.g)}] [n > 0] 
Based on the above modifications, the encoding of processes with dynamic compensations is obtained 
by extending Def. 4.4 with the following: 

n = Y 

D[instLAy./?J.Pl,,p = u[0]\v,{{Y).g.v{iX).X\v[u{{Z).{Z\ 

^’i[D[Plp] |/.vi{id}.v{id}.g)}]} I D[P]lf,p}.7.(v[0] |vi[0]) 

We then have the following property: 

Lemma 5.3. Let t[P ,Q] be a transaction with default activity P and compensation Q. Then we have: 

? [D^p] I I l.k, D[extrD(P)lp | Dl(P)lp 

Lemma 5.4. If R is a compensable process such that all free occurrences of process variable X in it are 
replaced with a process Q then the following encoding holds: $[\![R\{Q/X\}]\!]_{p} = [\![R]\!]_{p}\{[\![Q]\!]_{p}/X\}$. 

Operational correspondence for the extended encoding follows from the following theorem: 
Theorem 5.5. Let P be a compensable process and let p be an arbitrary path. 

a) If P P' then there is an adaptable process P” such that D[P]]p —?•* P" and P” ~ D[[Plp • 

b) 7/'D[[P]p —)■ Q then there is P' such that P A-p P' and Q DjP'Jp. 


Preserving Semantics. The function that counts the number of protected blocks in inst [AT.PJ .P is 
the same as in Def. 5.1, while a function that counts the number of transactions is defined next. 
Definition 5.6 (Number of transactions). Let P be a compensable process such that P = inst [AF.Pj .Pi. 
The number of transactions which occur in P, denoted nts(P), is equal to nts(Pi). 

We have the following extension of Def. 4.9: 

Definition 5.7 (Auxiliary encoding). Let Q be a compensable process and let po =t,p be a path. Also, 
let n,m>0. The process '^\\Q\\^f^ is defined as follows: 


^lieil?;p° 

= If.mt.a 

■PpHf-g]] \mt.k 

r4{t} 1 

v[u{{Z).{Z 1 vi[P[[ele] 1 /.vi{id}.v{id}.g)}] 

^lieii;;p° 

= lt-Pt,p\ 

[^(Xi).z{a.pp[Ai] 

1 rnl-Pp 


m,.kt.t{^}) 


|v[n{(Z).(Z|vi[P[(2le] 

1 f-vi{ 

id}.v{id}.g)}] 



— h-Pt.p^ 

[{Y,).z{a.Pp[Y:] 

1 ml-Pp 

[«[7-§]]}}-(2[o] 

1 mt.k,.t{-l}) 


|v[n{(Z).(Z|vi[P[e], 

] |/.vi{id}.v{id}.g)}] 



= lt-Pt,p\ 



• ,Ym)-z{pp[Xi] 1 

Pp [^ 2 ] 1 • • • 1 Pp [Xn] 


a-{Pp[Yi] I ••• \Pp[Y,n]) |m(.pp[M[/.g]]}||.(z[0] | | v[m{(Z).(Z | vi[P[2]le] 

/.vi{id}.v{id}.g)}] [n,m>0] 


We then have the following extended correctness statements: 

Lemma 5.8. Let t[P,Q] be a transaction with default activity P and compensation Q. Then we have: 


h 


<[P[PMI?II2II 


npbp(P),nts(P) 

t.P 



7 .j3p{id}.a P[[extrp(P)lp | P[(01p 


Theorem 5.9. Let P be a compensable process and let p be an arbitrary path. 

a) If P Ap P' then there is an adaptable process P” such that P[P]]p P” and P” ~ P[[Plp • 

b) IfPlPjp —> Q then there is P' such that P -^p P' and Q P[[Plp. 
Aborting Semantics. The encoding of processes with dynamic compensations and aborting semantics 
is obtained by extending Def. 4.17 with the encodings of process variables and compensation updates, 
which are the same as in discarding and preserving semantics. The function that counts protected blocks 
in compensation updates npb(inst .P) is as in Def. 5.1. We require an extension to Def. 4.15: 

Definition 5.10 (Auxiliary encoding). Let Q be a compensable process and let po = t, p be a path. Also, 
let n>0. The process aIIGIIpq is defined as follows: 

IWQWrp = h-mt.pp [u[flg\\ I mt.kt.t{^].Tt^p \ v[u{{Z).{Z \ vi[A[[2le] | /.vi{id}.v{id}.g)}] 

aII2II”p = ,Xn).z{pp[Xi\ \pp[X2] I ••• \ pp[Xn] \m-fPp[u[f.g]]}^ 

.(z[0] I m,.k(.f{t}.r,^p) I v[m{(Z).(Z I vi[A[[2]e] |/.vi{id}.v{id}.g)}] [n > 0] 

We then have the following extended correctness statements: 

Lemma 5.11. Let t[P,Q] be a transaction with default activity P and compensation Q. We have: 

?[A[Plrp] I I 7t[^t{P)\ AlextrA(P)]p | A[(01p | r,,p | 7,[0]. 

Theorem 5.12. Let P be a compensable process and let p be an arbitrary path. 

a) IfP P' then there is an adaptable process P” such that Al^Jp —?•* P” and P" ~ AjP'Jp. 

b) /f AjPjp —Q then there is P' such that P A^a P' <^nd Q AjP'Jp. 

6 Concluding Remarks 

We have compared, from the point of view of relative expressiveness, two related and yet fundamentally 
different process models: the calculus of compensable processes (introduced in 113) and the calculus of 
adaptable processes (introduced in f3). We provided encodings of processes with static and dynamic 
compensations (under discarding, preserving, and aborting semantics) into adaptable processes. Our 
encodings not only are a non-trivial application of process mobility as present in adaptable processes; 
they also shed light on the intricate semantics of compensable processes. As encoding criteria, we have 
considered compositionality and operational correspondence (up to weak equivalences), as in ifTTI. It 
would be insightful to establish encoding correctness with respect to all the criteria in ITTI. 

Our study opens several interesting avenues for future work. Having addressed the encodability of 
compensable processes into adaptable processes, we plan to consider the reverse direction, i.e., 
encodings of adaptable processes into compensable processes. We conjecture that an encoding of adaptable 
processes into a language with static compensations does not exist: compensation updates $\mathit{inst}\lfloor \lambda X.Q \rfloor.P$ 
seem essential to model an update prefix $l\{(X).Q\}.P$ —the semantics of both constructs induces 
process substitutions. Still, even by considering a language with dynamic compensations, an encoding of 
adaptable processes is far from obvious, because the semantics of compensation updates dynamically 
modifies the behavior of the compensation activity, the inactive part of a transaction. Formalizing these 
(non) encodability claims is interesting future work. Another promising direction is to cast our 
encodability results into variants of adaptable and compensable processes with session types: a candidate for 
source language could be the typed calculus with interactional exceptions developed in |ltii|; as target 
language, we plan to consider extensions of adaptable processes with session types I^ITOl . 